Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

Adding Exposed headers for CORS

By default, when doing CORS ajax request, following headers will be available:

 - Cache-Control
 - Content-Language
 - Content-Type
 - Expires
 - Last-Modified
 - Pragma


[more info - point 4](

if we need to read anything else from headers (even-thou they are returned) we need to provide `Access-Control-Expose-Header`, otherwise browsers will not allow to get these headers from xhr response.

Exact case: [SO question](

Im not sure if there are other headers that will need to be exposed, but `Location` is required for getting information about created projection
  • Loading branch information...
commit d12e0ccc05bba0b9a617458e2d4de8ce5e2dd728 1 parent b60acad
@Gutek Gutek authored
1  src/EventStore/EventStore.Transport.Http/EntityManagement/HttpEntityManager.cs
@@ -162,6 +162,7 @@ private void SetRequiredHeaders()
HttpEntity.Response.AddHeader("Access-Control-Allow-Methods", string.Join(", ", _allowedMethods));
HttpEntity.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With, X-PINGOTHER, Authorization");
HttpEntity.Response.AddHeader("Access-Control-Allow-Origin", "*");
+ HttpEntity.Response.AddHeader("Access-Control-Expose-Headers", "Location");
if (HttpEntity.Response.StatusCode == HttpStatusCode.Unauthorized)
HttpEntity.Response.AddHeader("WWW-Authenticate", "Basic realm=\"ES\"");
Please sign in to comment.
Something went wrong with that request. Please try again.